gcp proxy now uses kubernetes secrets

bin/build_proxies.sh

@@ -3,7 +3,9 @@
 #
 # If you change any proxies:
 # 1. update the returned version(s) in the Send-Version.xml of the affected proxies
-# 2. run this script to generate proxies.go and check in your changes.
+# 2. run this script to generate proxies.go 
+# 3. run `go mod tidy` to remove the go-bindata dep from your mod and sum files
+# 4. check in your changes
 #
 
 SCRIPTPATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

proxies/remote-proxy-gcp/apiproxy/policies/Assign-Debug.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Debug">
+    <DisplayName>Assign Debug</DisplayName>
+    <Properties/>
+    <AssignVariable>
+        <Name>key</Name>
+        <Ref>private.secret.remote-service.key</Ref>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>crt</Name>
+        <Ref>private.secret.remote-service.crt</Ref>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>kid</Name>
+        <Ref>private.secret.remote-service.properties.kid</Ref>
+    </AssignVariable>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+    <AssignTo createNew="false" transport="http" type="request"/>
+</AssignMessage>

proxies/remote-proxy-gcp/apiproxy/policies/Generate-Access-Token.xml

@@ -3,8 +3,8 @@
     <DisplayName>Generate Access Token</DisplayName>
     <Algorithm>RS256</Algorithm>
     <PrivateKey>
-        <Value ref="private.privateKey"/>
-        <Id ref="private.certificate1_kid"/>
+        <Value ref="private.secret.remote-service.key"/>
+        <Id ref="private.secret.remote-service.properties.kid"/>
     </PrivateKey>
     <Issuer ref="iss"/>
     <Audience>remote-service-client</Audience>
@@ -19,4 +19,4 @@
         <Claim name="scopes" ref="scope" type="string" array="true"/>
     </AdditionalClaims>
     <OutputVariable>jwtmessage</OutputVariable>
-</GenerateJWT>
+</GenerateJWT>

proxies/remote-proxy-gcp/apiproxy/policies/Generate-VerifyKey-Token.xml

@@ -3,8 +3,8 @@
     <DisplayName>Generate VerifyKey Token</DisplayName>
     <Algorithm>RS256</Algorithm>
     <PrivateKey>
-        <Value ref="private.privateKey"/>
-        <Id ref="private.certificate1_kid"/>
+        <Value ref="private.secret.remote-service.key"/>
+        <Id ref="private.secret.remote-service.properties.kid"/>
     </PrivateKey>
     <Issuer ref="iss"/>
     <Audience>remote-service-client</Audience>
@@ -17,4 +17,4 @@
         <Claim name="developer_email" ref="apigee.developer.email"/>
     </AdditionalClaims>
     <OutputVariable>jwtmessage</OutputVariable>
-</GenerateJWT>
+</GenerateJWT>

proxies/remote-proxy-gcp/apiproxy/policies/Raise-Fault-Missing-Secret.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<RaiseFault async="false" continueOnError="false" enabled="true" name="Raise-Fault-Missing-Secret">
+    <DisplayName>Raise Fault Missing Secret</DisplayName>
+    <Properties/>
+    <FaultResponse>
+        <Set>
+            <Headers/>
+            <Payload contentType="application/json" variablePrefix="@" variableSuffix="#">
+{
+    "error":"configuration_error",
+    "error_description": "server not configured for JWT support"
+}
+            </Payload>
+            <StatusCode>500</StatusCode>
+            <ReasonPhrase>Server Error</ReasonPhrase>
+        </Set>
+    </FaultResponse>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+</RaiseFault>

proxies/remote-proxy-gcp/apiproxy/policies/Send-JWKs-Message.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<AssignMessage async="false" continueOnError="false" enabled="true" name="Send-JWKs-Message">
+    <DisplayName>Send JWKs Message</DisplayName>
+    <Properties/>
+    <Set>
+        <Headers/>
+        <!-- .crt is actually JWKs JSON -->
+        <Payload contentType="application/json" variablePrefix="@" variableSuffix="#">@private.secret.remote-service.crt#</Payload>
+        <StatusCode>200</StatusCode>
+    </Set>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+</AssignMessage>

proxies/remote-proxy-gcp/apiproxy/policies/Send-Version.xml

@@ -7,10 +7,8 @@
             <Header name="Cache-Control">public, max-age=604800</Header>
             <Header name="Content-Type">application/json</Header>
         </Headers>
-        <Payload contentType="application/json">
-        {"version":"1.0.0"}
-    </Payload>
+        <Payload contentType="application/json">{"version":"1.0.0"}</Payload>
     </Set>
     <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
     <AssignTo createNew="false" transport="http" type="request"/>
-</AssignMessage>
+</AssignMessage>

proxies/remote-proxy-gcp/apiproxy/proxies/default.xml

@@ -6,6 +6,10 @@
         <Flow name="Verify API Key">
             <Description/>
             <Request>
+                <Step>
+                    <Name>Raise-Fault-Missing-Secret</Name>
+                    <Condition>private.secret.remote-service.key is null || private.secret.remote-service.properties.kid is null</Condition>
+                </Step>
                 <Step>
                     <Name>Verify-API-Key</Name>
                 </Step>
@@ -28,9 +32,6 @@
                 <Step>
                     <Name>Products-to-JSON</Name>
                 </Step>
-                <Step>
-                    <Name>Get-Private-Key</Name>
-                </Step>
                 <Step>
                     <Name>Set-JWT-Variables</Name>
                 </Step>
@@ -62,6 +63,10 @@
         <Flow name="Obtain Access Token">
             <Description/>
             <Request>
+                <Step>
+                    <Name>Raise-Fault-Missing-Secret</Name>
+                    <Condition>private.secret.remote-service.key is null || private.secret.remote-service.properties.kid is null</Condition>
+                </Step>
                 <Step>
                     <Name>Clear-API-Key</Name>
                 </Step>
@@ -94,9 +99,6 @@
                 <Step>
                     <Name>Set-JWT-Variables</Name>
                 </Step>
-                <Step>
-                    <Name>Get-Private-Key</Name>
-                </Step>
                 <Step>
                     <Name>Generate-Access-Token</Name>
                 </Step>
@@ -111,6 +113,10 @@
         <Flow name="Refresh Access Token">
             <Description/>
             <Request>
+                <Step>
+                    <Name>Raise-Fault-Missing-Secret</Name>
+                    <Condition>private.secret.remote-service.key is null || private.secret.remote-service.properties.kid is null</Condition>
+                </Step>
                 <Step>
                     <Name>Clear-API-Key</Name>
                 </Step>
@@ -136,9 +142,6 @@
                 <Step>
                     <Name>Set-JWT-Variables</Name>
                 </Step>
-                <Step>
-                    <Name>Get-Private-Key</Name>
-                </Step>
                 <Step>
                     <Name>Generate-Access-Token</Name>
                 </Step>
@@ -171,19 +174,17 @@
             <Description>This flow returns public keys as JWK</Description>
             <Request>
                 <Step>
-                    <Name>Get-Public-Keys</Name>
+                    <Name>Assign-Debug</Name>
                 </Step>
                 <Step>
-                    <Name>Raise-Fault-Unknown-Request</Name>
-                    <Condition>private.certificate1 is null or private.certificate1_kid is null</Condition>
-                </Step>
-                <Step>
-                    <Name>Generate-JWK</Name>
+                    <!-- .crt is actually JWKs JSON -->
+                    <Name>Raise-Fault-Missing-Secret</Name>
+                    <Condition>private.secret.remote-service.crt is null</Condition>
                 </Step>
             </Request>
             <Response>
                 <Step>
-                    <Name>Send-JWK-Message</Name>
+                    <Name>Send-JWKs-Message</Name>
                 </Step>
             </Response>
             <Condition>(proxy.pathsuffix MatchesPath "/certs") and (request.verb = "GET")</Condition>
@@ -198,29 +199,6 @@
             </Response>
             <Condition>(proxy.pathsuffix MatchesPath "/version") and (request.verb = "GET")</Condition>
         </Flow>
-        <Flow name="Rotate Key">
-            <Description/>
-            <Request>
-                <Step>
-                    <Name>Verify-API-Key</Name>
-                </Step>
-                <Step>
-                    <Name>Extract-Rotate-Variables</Name>
-                </Step>
-                <Step>
-                    <Name>Raise-Fault-Unknown-Request</Name>
-                    <Condition>certificate1 is null or certificate1_kid is null or private_key is null</Condition>
-                </Step>
-                <Step>
-                    <Name>Retrieve-Cert</Name>
-                </Step>
-                <Step>
-                    <Name>Update-Keys</Name>
-                </Step>
-            </Request>
-            <Response/>
-            <Condition>(proxy.pathsuffix MatchesPath "/rotate") and (request.verb = "POST")</Condition>
-        </Flow>
         <Flow name="DistributedQuota">
             <Request>
                 <Step>